Hi,

Third party mediation kindly requested!

My developer has refused to work on 6.4 siting that it is too buggy and we should stay with 6.3. I quote;

"we will not be able to work on 6.4. I was thinking of developing your website on 6.3 currently and then upgrade it to 6.4 at the time of end of project. But that isn't a solution as experts say it will take drupal at least 6 months to stabilize 6.4. They might not even take it seriously after the launch of 7, which they say might be unusable for an year or so from its launch due to the high number of bugs it is expected to offer."

Contrary to these claims I also found this:

“Upgrading your existing Drupal 5 and 6 sites is strongly recommended”. Drupal.org

and....

“With regards to 6.3 there were a number of bugs found in the core upload module, which could allow users to edit nodes which they are normally not allowed to, delete any file to which the web server has sufficient rights, and download attachments of nodes to which they have no access. Problems were also found which could allow malicious users to insert script code into pages."

Items such as the following were quoted:

http://drupal.org/node/303876
http://drupal.org/node/313393
http://drupal.org/node/299273
http://drupal.org/node/296458

Does anyone follow this opinion of staying with 6.3 over 6.4?

Thanks in advance,

Mark

Comments

dnewkerk’s picture

Hi Mark -

Apologies to your developer, but I have no idea what he is talking about. To the best of my knowledge there is nothing at all "wrong" with 6.4 and I use it on many sites without any issues. I'm sure there are a few bugs, but... they'll be patched in 6.5 which no doubt might be shortly around the corner. Has your developer listed out direct URLs pointing to the supposed bugs in the issue queue? As for the rest of his quote... not sure who "they" is. Certainly not the core developers, and certainly is not a common sentiment around the drupal.org community, so I would suggest that if he heard that, it was not from a reliable source. He may have noticed the Contributor Links sidebar block here on drupal.org which shows 299 bugs for D7 (which is perfectly normal, as that version is not at all released and under heavy development).

That aside, do "not" stay on 6.3 if the site is accessible to the internet. Always upgrade as soon as possible when a security patch is released (minor version releases are always nothing but bug fixes and security patches... you can wait on an upgrade if it only states that it contains bug fixes... but a security release should be applied as soon as possible or your site will be at risk). Backup thoroughly before upgrades as well.

Wishing you the best of luck :)

-- David
absolutecross.com
[new guide/lesson in progress: Creating a CCK and Views powered Drupal site - feedback welcome]

styro’s picture

And been able reproduce those error reports? Has your developer added any extra information to the error reports? They sure ain't going to get fixed if nobody else does anything, or nobody else can reproduce them.

I notice those issues are fairly light on confirmations - they must be extremely rare or related to something else (and reports like these can be found for nearly every version). Also half of those reports didn't mention anything about happening after an update to 6.4, and could just as easily apply to 6.3 as well.

I'd rather risk those bugs (which you can test for) than leave a site vulnerable. Or would your developer just apply the security patches without updating to 6.4?

I hate to say this but your developer doesn't really sound like they know what they are talking about, or how Drupal is developed. "Experts say that 6.4 will take 6 months to stabilise" huh? Who are these "experts"? 6.4 is 6.4 and will stay 6.4 forever - there is no stabilisation that will be done to 6.4. 6.5 will fix some bugs that were still in 6.4, just like 6.4 fixed some bugs still in 6.3 etc etc. And no, 6.x bug fixes will not get ignored after 7.0 is released - it is 5.x bug fixing that will get dropped after Drupal 7 (unless the community resources the extra ongoing support for 5.x).

I think you should ask for better justifications and evidence than that.

--
Anton

minesota’s picture

The installation with 6.4 on standard shared server needs a very little tweak and nothing serious at all.
After installation the core 6.4 runs fine and fast.

If the issues are with some modules, then requesting support in the issue threads may help.

dutchie76’s picture

Firstly thanks for the useful feedback. Your responses echoes my concerns and my argument with the development team. However, despite my insistences they flatly refuse to upgrade from 6.3.

Just to provide a little history.....They have just completed a project developed on 6.3. The site is live, essentially works well but has not yet been upgraded. The next project has been started and will eventually be installed on the same Drupal installation using multi-site install. The say that they must develop the new project on the same, tried and tested D6.3 installation. The reason being, that there will be guaranteed problems if the site is upgraded. Based on your feedback it seems that there might be another reason for not upgrading.

Their argument, if it works on 6.3 there is no need to upgrade and the risk of certain modules not working or modified modules not working is high. I have a suspicion that they may have used some hard coding of core and certain module files which I guess would make upgrading a nightmare.

After much persuasion they have agreed to install the latest security patched (i guess that would now be 6.5) for the new installation.

I just don't understand what the real problem is and why they are so set on not upgrading.

"Has your developer actually tested 6.4?" No they have not tested it.

michelle’s picture

Just to add something I don't think was quite made clear in the other posts:

6.3 to 6.4 (and now 6.5) is not a major upgrade. The number after the decimal point indicates bug/security fixes. The API will only change if it is absolutely essential. Modules are designed to work against a major version number (5.x vs 6.x) and it's extremely rare that they will stop working on a minor upgrade. Major upgrades (5.x to 6.x) are a different story.

To echo what the others have said, 6.5 is a security release. By refusing to upgrade your site, your developers are putting your site and any others on the server at risk for hacking.

Michelle

--------------------------------------
See my Drupal articles and tutorials or come check out life in the Coulee Region.

dnewkerk’s picture

I'm sorry to say (and I hate to say anything negative about anyone), but if your developers believe what they do about Drupal upgrades, then they are incompetent Drupal developers, and unfortunately if I were working with them, I would "end the working relationship" immediately. If they did modify core as you suspect, then that is unacceptable. Responsible Drupal developers do not, as a rule, modify core. There are hooks all over with which to alter core's functionality seamlessly without modifying core itself. In the rare instance they might have to modify core for some special case they will clearly discuss the need with their client. And if the client agrees both about the benefit as well as agrees to the consequences, the developer will then use proper tools to track their changes, making it easier to re-apply them. If the changes would be beneficial to everyone, then they would submit a patch toward Drupal's next major version (or even a minor release if the patch is a bug fix).

If they hacked core without disclosing it to you, I recommend that you require them to find out how to make their changes, if possible, correctly with hooks, and at little/no charge to you until the job is completed correctly. If they will not (in which case I personally think you should deserve a significant refund), then hire a developer in their place who can write a module to reproduce their changes without hacking, so you'll be back on track with Drupal and able to upgrade easily in the future without fear or unnecessary delays or expense.

Note: I upgraded a test site the other day literally "overloaded" with modules (more than would ever be needed on most sites) from 6.3 to 6.4... nothing broke. Nothing at all. And it took under 5 minutes start to finish. In fact in 2 years of minor upgrades to "unhacked core", nothing has broken for me even once. Going from 5 to 6 was trickier (core was easy, but modules like Views were harder since it was completely redesigned). Now that 5.11 and 6.5 are out, I plan to test that upgrade once on a local site, then proceed with upgrading 10 or so live sites, backing up first of course as always.

Good luck!

-- David
absolutecross.com
[new guide/lesson in progress: Creating a CCK and Views powered Drupal site - feedback welcome]

styro’s picture

Responsible Drupal developers do not, as a rule, modify core.

And even if in very rare circumstances they absolutely have to, they will use source control properly so that they can easily merge new point releases into their modified codebase so their clients aren't left with vulnerable sites.

--
Anton